How to rescue your PC from ransomware
Don't negotiate with e-terrorists. Be a hero and rescue your hostage PC.

With nasty malware like Locky making the rounds—encrypting its victims’ files, and then refusing to unlock them unless you pay up—ransomware is a serious headache. But not all ransomware is so difficult. You can remove many ransomware viruses without losing your files, but with some variants that isn’t the case.

In the past I’ve discussed general steps for removing malware and viruses, but you need to apply some specific tips and tricks for ransomware. The process varies and depends on the type of invader. Some procedures involve a simple virus scan, while others require offline scans and advanced recovery of your files. I categorize ransomware into three varieties: scareware, lock-screen viruses, and the really nasty stuff.
The really nasty stuff
Removing ransomware
Before you can free your hostage PC, you have to eliminate the hostage taker.
If you have the simplest kind of ransomware, such as a fake antivirus program or a bogus clean-up tool, you can usually remove it by following the steps in my previous malware removal guide. This procedure includes entering Windows’ Safe Mode and running an on-demand virus scanner such as Malwarebytes.
If the ransomware prevents you from entering Windows or running programs, as lock-screen viruses typically do, you can try to use System Restore to roll Windows back in time. Doing so doesn’t affect your personal files, but it does return system files and programs to the state they were in at a certain time. The System Restore feature must be enabled beforehand; Windows enables it by default.
- Shut down your PC and locate the F8 key on your PC’s keyboard.
- Turn the PC on, and as soon as you see anything on the screen, press the F8 key repeatedly. This action should bring up the Advanced Boot Options menu.
- Select Repair Your Computer and press Enter.
- You’ll likely have to log on as a user. Select your Windows account name and enter your password. (If you don’t have a password set, leave that blank.)
- Once logged on, click System Restore.
Windows 8, 8.1, or 10
- If your PC boots to the Windows login screen, hold the Shift key, click the power icon, and select Restart.
- It should reboot to the recovery screens.
- Select Troubleshoot > Advanced Options > System Restore.
If System Restore doesn’t help and you still can’t get into Windows to remove the ransomware, try running a virus scanner from a bootable disc or USB drive; some people refer to this approach as an offline virus scan. My favorite bootable scanner is from Bitdefender, but more are available: Avast, AVG, Avira, Kaspersky, Norton, and Sophos all offer antivirus boot-disk software.
Recovering hidden and encrypted files
With that out of the way, it’s time to repair the damage. If you’re lucky, your PC was infected by malware that didn’t encrypt your data. If it appears you’re missing stuff, though, the malware may have merely hidden your icons, shortcuts, and files. It usually does this by setting the “hidden” attribute on the files. Here’s how to check, depending on your OS version:
- Open Computer.
- Press the Alt key and select Tools.
- Click Folder Options and select the View tab.
- Select Show hidden files, folders, and drives, and then click OK.
Windows 8, 8.1, and 10
- Open a File Explorer window.
- Select the View tab on the top pane.
- Check Hidden items.
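The same check can be scripted so that it lists exactly which of your files carry the hidden attribute, instead of revealing everything in Explorer at once. This PowerShell function is an added example, not part of the original article; the name `Find-HiddenUserFiles`, the `-Unhide` switch, and the choice of folders are assumptions made for illustration.

```powershell
function Find-HiddenUserFiles {
    param(
        # Assumed scope: folders where missing icons and documents are usually noticed
        [string[]]$Folders = @(
            [Environment]::GetFolderPath('Desktop'),
            [Environment]::GetFolderPath('MyDocuments'),
            [Environment]::GetFolderPath('MyPictures')
        ),
        # Hypothetical switch: attributes are changed only when this is given
        [switch]$Unhide
    )
    $hidden = [int][IO.FileAttributes]::Hidden
    $system = [int][IO.FileAttributes]::System
    # Files Windows itself normally keeps hidden in user folders
    $expected = 'desktop.ini', 'Thumbs.db'

    $found = foreach ($folder in $Folders) {
        if (-not (Test-Path -LiteralPath $folder)) { continue }
        # -Force is required; without it hidden items are silently left out
        Get-ChildItem -LiteralPath $folder -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object {
                $attr = [int]$_.Attributes
                # Keep Hidden items, but skip protected OS items (Hidden + System)
                ($attr -band $hidden) -and
                (-not ($attr -band $system)) -and
                ($expected -notcontains $_.Name)
            }
    }

    if ($Unhide) {
        foreach ($item in $found) {
            # Clear only the Hidden bit; ReadOnly, Archive and the rest stay as they were
            $item.Attributes = [IO.FileAttributes]([int]$item.Attributes -band (-bnot $hidden))
        }
    }
    $found | Sort-Object FullName | Select-Object LastWriteTime, Attributes, FullName
}

# Report only; rerun with -Unhide once the list looks like your own files
Find-HiddenUserFiles | Format-Table -AutoSize
```

Items that are both hidden and system-flagged are deliberately skipped here, so anything the script leaves out can still be reviewed by hand with the Explorer steps above.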
This is why we constantly tell you to back up your PC on a regular basis.
If you previously set up and created backups, scan them for viruses on another PC (one that is not infected) if at all possible. If all of your important files are backed up, you can proceed to remove the malware and then simply restore your backed-up files.
If you don’t have a backup system in place, you might be able to recover some files from Shadow Volume Copies—if the malware hasn’t deleted them. Shadow Volume Copies is part of Windows’ System Restore feature. Either right-click on the files or folders you want to restore and open Properties to view the Previous Versions list, or use a program called Shadow Explorer to browse the snapshots.
But don’t rely on that. Start backing up your PC today, and do it regularly.
Preventing ransomware and malware infections
Avoiding ransomware is much the same as avoiding other types of malware.
Always run a good antivirus utility and keep Windows and browser-related components (Java, Adobe, and the like) updated. Keep your browser clean of junk toolbars and add-ons to prevent adware invasions that could lead to malware infections. Always, always be wary of unexpected email attachments and spam.
And just to beat this dead horse one more time: Always have a good backup system in place, just in case your PC does become infected and you can’t recover your files. Yes, it’s that important.
Editor's note: This article was originally published January 13, 2014, and updated April 3, 2017.